Posted to cvs@httpd.apache.org by jo...@apache.org on 2021/03/03 14:53:12 UTC

svn commit: r1887148 - in /httpd/httpd/trunk: changes-entries/mod_md-missing-resources.txt modules/md/md_acme.c

Author: jorton
Date: Wed Mar  3 14:53:12 2021
New Revision: 1887148

URL: http://svn.apache.org/viewvc?rev=1887148&view=rev
Log:
Synch from mod_md github:

mod_md: tolerate missing revokeCert or keyChange resource

RFC 8555 §7.1 states:

  The server MUST provide "directory" and "newNonce" resources.

But RFC 8555 makes no explicit statement anywhere whether other
resources are, or are not, required (with the exception of
"newAuthz" which is optional).

Therefore it is possible that some ACME server implementations may
omit some resources; in particular those that are not an essential
part of the "order" workflow.  Indeed, I am working with one such
server implementation, which does not at this time implement
"keyChange".  mod_md refuses to interact with this server because it
is checking that a certain set of resources are defined in the
directory object - despite some of those resources not currently
being used.

Update the check to require only "newNonce", "newAccount" and
"newOrder".  Omit from the check and therefore tolerate the absence
of resources which are not always required: "revokeCert" and
"keyChange".

If mod_md implements revocation and/or key rollover in the future,
the availability of those features should be predicated on the
server's advertised capabilities.

https://github.com/icing/mod_md/commit/38ff597f3ccb3c942e68701fb185c6a68f0708e4

Submitted by: Fraser Tweedale <ftweedal redhat.com>
Github: closes #122
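As an added illustration of the directory check the commit message describes (this is not mod_md's code and is not from the commit or its author), the following Python sketch treats RFC 8555's mandatory "newNonce" plus the client-used "newAccount" and "newOrder" as required, tolerates a missing "revokeCert" or "keyChange", and exposes those two as capabilities so that revocation can be gated on what the server advertises rather than assumed. The sample directory documents, the example.test hostnames, and the class and function names are all constructed assumptions; the https-only rule is a policy choice taken from RFC 8555 §6.1 and is not something the commit message discusses.

```python
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# RFC 8555 section 7.1 only mandates "directory" and "newNonce"; "directory" is
# the document itself, so "newNonce" is the only key that must be present.
RFC_REQUIRED = frozenset({"newNonce"})
# Not mandated by the RFC, but a server without them cannot issue to this client.
CLIENT_REQUIRED = frozenset({"newAccount", "newOrder"})
# Absence tolerated; presence unlocks the corresponding feature (hypothetical
# client policy mirroring the relaxed check, not mod_md's code).
OPTIONAL = frozenset({"revokeCert", "keyChange"})


class DirectoryError(ValueError):
    """The directory is malformed or lacks a resource this client needs."""


@dataclass(frozen=True)
class AcmeDirectory:
    new_nonce: str
    new_account: str
    new_order: str
    revoke_cert: Optional[str]  # None means "server did not advertise it"
    key_change: Optional[str]

    @property
    def supports_revocation(self) -> bool:
        return self.revoke_cert is not None

    @property
    def supports_key_rollover(self) -> bool:
        return self.key_change is not None


def _resource_url(directory: dict, name: str) -> Optional[str]:
    """URL for `name`, None if absent; raise on a non-string or non-https value."""
    value = directory.get(name)
    if value is None:
        return None
    if not isinstance(value, str):
        raise DirectoryError(f"resource {name!r} is not a string")
    parsed = urlparse(value)
    # RFC 8555 section 6.1: ACME is carried over HTTPS, so refuse anything else.
    if parsed.scheme != "https" or not parsed.netloc:
        raise DirectoryError(f"resource {name!r} is not an https URL: {value!r}")
    return value


def parse_directory(text: str) -> AcmeDirectory:
    """Parse a directory document, enforcing only the resources we rely on."""
    try:
        directory = json.loads(text)
    except json.JSONDecodeError as exc:
        raise DirectoryError(f"directory is not valid JSON: {exc}") from None
    if not isinstance(directory, dict):
        raise DirectoryError("directory is not a JSON object")
    urls = {name: _resource_url(directory, name)
            for name in RFC_REQUIRED | CLIENT_REQUIRED | OPTIONAL}
    missing = sorted(n for n in RFC_REQUIRED | CLIENT_REQUIRED if urls[n] is None)
    if missing:
        raise DirectoryError(f"directory lacks required resource(s): {missing}")
    return AcmeDirectory(new_nonce=urls["newNonce"], new_account=urls["newAccount"],
                         new_order=urls["newOrder"], revoke_cert=urls["revokeCert"],
                         key_change=urls["keyChange"])


def revoke_or_explain(directory: AcmeDirectory) -> str:
    """Gate an optional feature on the advertised capability, never assume it."""
    if not directory.supports_revocation:
        return "server does not advertise revokeCert; revocation unavailable"
    return f"would POST revocation to {directory.revoke_cert}"


# Constructed sample directories (not captured from any real CA).
_BASE = "https://acme.example.test/acme/"
FULL_DIRECTORY = json.dumps({
    "newNonce": _BASE + "new-nonce", "newAccount": _BASE + "new-acct",
    "newOrder": _BASE + "new-order", "revokeCert": _BASE + "revoke-cert",
    "keyChange": _BASE + "key-change", "meta": {"termsOfService": _BASE + "terms"},
})
# The kind of server the commit message describes: no keyChange, no revokeCert.
MINIMAL_DIRECTORY = json.dumps({
    "newNonce": _BASE + "new-nonce", "newAccount": _BASE + "new-acct",
    "newOrder": _BASE + "new-order",
})
# Missing a resource the order workflow cannot do without.
BROKEN_DIRECTORY = json.dumps({"newNonce": _BASE + "new-nonce",
                               "newAccount": _BASE + "new-acct"})
```

Running parse_directory(MINIMAL_DIRECTORY) succeeds with both capability properties False, parse_directory(BROKEN_DIRECTORY) raises DirectoryError for the missing "newOrder", and a directory whose URLs are downgraded to plain http is rejected before any resource is used. Keeping the optional resources as None rather than failing the parse is what lets a later revocation path ask supports_revocation instead of dereferencing a missing URL.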

Added:
    httpd/httpd/trunk/changes-entries/mod_md-missing-resources.txt
Modified:
    httpd/httpd/trunk/modules/md/md_acme.c

Added: httpd/httpd/trunk/changes-entries/mod_md-missing-resources.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/mod_md-missing-resources.txt?rev=1887148&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/mod_md-missing-resources.txt (added)
+++ httpd/httpd/trunk/changes-entries/mod_md-missing-resources.txt Wed Mar  3 14:53:12 2021
@@ -0,0 +1,2 @@
+  *) mod_md: Tolerate a missing "revokeCert" or "keyChange" resource.
+     [Fraser Tweedale <ftweedal redhat.com>]

Modified: httpd/httpd/trunk/modules/md/md_acme.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/md/md_acme.c?rev=1887148&r1=1887147&r2=1887148&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/md/md_acme.c (original)
+++ httpd/httpd/trunk/modules/md/md_acme.c Wed Mar  3 14:53:12 2021
@@ -726,8 +726,12 @@ static apr_status_t update_directory(con
         acme->api.v2.revoke_cert = md_json_dups(acme->p, json, "revokeCert", NULL);
         acme->api.v2.key_change = md_json_dups(acme->p, json, "keyChange", NULL);
         acme->api.v2.new_nonce = md_json_dups(acme->p, json, "newNonce", NULL);
-        if (acme->api.v2.new_account && acme->api.v2.new_order 
-            && acme->api.v2.revoke_cert && acme->api.v2.key_change
+        /* RFC 8555 only requires "directory" and "newNonce" resources.
+         * mod_md uses "newAccount" and "newOrder" so check for them.
+         * But mod_md does not use the "revokeCert" or "keyChange"
+         * resources, so tolerate the absense of those keys. */
+        if (acme->api.v2.new_account
+            && acme->api.v2.new_order
             && acme->api.v2.new_nonce) {
             acme->version = MD_ACME_VERSION_2;
         }
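Review bot: with the check relaxed, acme->api.v2.revoke_cert and acme->api.v2.key_change (still populated unconditionally by the md_json_dups() calls at the top of the hunk) can now legitimately be NULL after update_directory() succeeds, so any future consumer of those fields must treat NULL as "not advertised by the server" rather than as a parse failure; a one-line comment on those struct fields stating that contract would make the commit message's intent (gate revocation and rollover on advertised capabilities) visible at the point of use. Minor: "absense" in the new comment should read "absence".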